Hello,
I see the message gets to the config file, hitting the sanity module. What you can do is use fail2ban for automatic interaction with iptables -- you can take inspiration from this tutorial:
* http://kb.asipto.com/kamailio:usage:k31-sip-scanning-attack#fail2ban
You will just have a different condition, based on sanity and possibly some regexp to detect this specific case, to print the log message that is searched for by fail2ban.
Cheers, Daniel
On 4/17/12 5:21 PM, Reda Aouad wrote:
Hi,
Do you have any client that is sending a corrupt request to the "AddPac SIP Gateway" at 190.22.140.170, so that this gateway is replying "400 bad request"? Maybe you could resolve this problem at the source.
If it's not the case, you can send an email to the owner of the IP address. A quick lookup on the IP address on www.network-tools.com <http://www.network-tools.com> gives you a hint on the owner.
Reda
On Tue, Apr 17, 2012 at 17:19, Vineet Menon <mvineetmenon@gmail.com> wrote:
IMHO preventing the packet from reaching kamailio is better (via iptables) than doing something in kamailio itself....

Regards,
Vineet Menon

On 17 April 2012 20:32, Ricardo Martinez <rmartinez@redvoiss.net> wrote:

Hello.
I was wondering if someone could help me here. From time to time I start to receive from the internet this SIP message:

U 190.22.140.170:51316 -> 64.76.154.110:5060
SIP/2.0 400 BadRequest.
Via: .
From: .
To: .
Call-ID: .
CSeq: .
User-Agent: AddPac SIP Gateway.
Content-Length: 0.
.

At a burst rate of 124 pps (packets per second), this message is entering the Kamailio routine and generating a lot of ERROR logs like these:

Apr 1 03:32:19 kmborde /usr/local/sbin/kamailio[2311]: ERROR: <core> [parser/msg_parser.c:179]: ERROR: get_hdr_field: bad to header
Apr 1 03:32:19 kmborde /usr/local/sbin/kamailio[2311]: INFO: <core> [parser/msg_parser.c:353]: ERROR: bad header field [To: <sip:Register=>5]
Apr 1 03:32:19 kmborde /usr/local/sbin/kamailio[2311]: ERROR: <core> [parser/msg_parser.c:179]: ERROR: get_hdr_field: bad to header
Apr 1 03:32:19 kmborde /usr/local/sbin/kamailio[2311]: INFO: <core> [parser/msg_parser.c:353]: ERROR: bad header field [To: <sip:Register=>5]
Apr 1 03:32:19 kmborde /usr/local/sbin/kamailio[2311]: ERROR: <core> [parser/msg_parser.c:179]: ERROR: get_hdr_field: bad to header
Apr 1 03:32:19 kmborde /usr/local/sbin/kamailio[2311]: INFO: <core> [parser/msg_parser.c:353]: ERROR: bad header field [To: <sip:Register=>5]
Apr 1 03:32:19 kmborde /usr/local/sbin/kamailio[2311]: ERROR: <core> [msg_translator.c:1943]: ERROR: build_res_buf_from_sip_req: alas, parse_headers failed
Apr 1 03:32:19 kmborde /usr/local/sbin/kamailio[2311]: WARNING: sanity [sanity.c:254]: sanity_check(): check_required_headers(): failed to send 400 via sl reply
Apr 1 03:32:20 kmborde /usr/local/sbin/kamailio[2301]: ERROR: <core> [parser/msg_parser.c:179]: ERROR: get_hdr_field: bad to header
Apr 1 03:32:20 kmborde /usr/local/sbin/kamailio[2301]: INFO: <core> [parser/msg_parser.c:353]: ERROR: bad header field [To: <sip:Register=>5]
Apr 1 03:32:20 kmborde /usr/local/sbin/kamailio[2301]: ERROR: <core> [parser/msg_parser.c:179]: ERROR: get_hdr_field: bad to header
Apr 1 03:32:20 kmborde /usr/local/sbin/kamailio[2301]: INFO: <core> [parser/msg_parser.c:353]: ERROR: bad header field [To: <sip:Register=>5]
Apr 1 03:32:20 kmborde /usr/local/sbin/kamailio[2301]: ERROR: <core> [parser/msg_parser.c:179]: ERROR: get_hdr_field: bad to header
Apr 1 03:32:20 kmborde /usr/local/sbin/kamailio[2301]: INFO: <core> [parser/msg_parser.c:353]: ERROR: bad header field [To: <sip:Register=>5]
Apr 1 03:32:20 kmborde /usr/local/sbin/kamailio[2301]: ERROR: <core> [msg_translator.c:1943]: ERROR: build_res_buf_from_sip_req: alas, parse_headers failed
Apr 1 03:32:20 kmborde /usr/local/sbin/kamailio[2301]: WARNING: sanity [sanity.c:254]: sanity_check(): check_required_headers(): failed to send 400 via sl reply
Apr 1 03:32:23 kmborde /usr/local/sbin/kamailio[2320]: ERROR: <core> [parser/msg_parser.c:179]: ERROR: get_hdr_field: bad to header
Apr 1 03:32:23 kmborde /usr/local/sbin/kamailio[2320]: INFO: <core> [parser/msg_parser.c:353]: ERROR: bad header field [To: <sip:Register=>5]
Apr 1 03:32:23 kmborde /usr/local/sbin/kamailio[2320]: ERROR: <core> [parser/msg_parser.c:179]: ERROR: get_hdr_field: bad to header
Apr 1 03:32:23 kmborde /usr/local/sbin/kamailio[2320]: INFO: <core> [parser/msg_parser.c:353]: ERROR: bad header field [To: <sip:Register=>5]
Apr 1 03:32:23 kmborde /usr/local/sbin/kamailio[2320]: ERROR: <core> [parser/msg_parser.c:179]: ERROR: get_hdr_field: bad to header
Apr 1 03:32:23 kmborde /usr/local/sbin/kamailio[2320]: INFO: <core> [parser/msg_parser.c:353]: ERROR: bad header field [To: <sip:Register=>5]
Apr 1 03:32:23 kmborde /usr/local/sbin/kamailio[2320]: ERROR: <core> [msg_translator.c:1943]: ERROR: build_res_buf_from_sip_req: alas, parse_headers failed
Apr 1 03:32:23 kmborde /usr/local/sbin/kamailio[2320]: WARNING: sanity [sanity.c:254]: sanity_check(): check_required_headers(): failed to send 400 via sl reply

The only way that I have now for blocking this packet from hitting the Kamailio server is via iptables:

iptables -A INPUT -s 190.22.140.170 -p udp --dport 5060 --jump REJECT

Is there a better way to do this?!

Thanks in advance,
Ricardo Martinez.-

SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list sr-users@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
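
The parser and sanity log lines quoted in this thread carry no source address, which is why the reply at the top suggests printing a dedicated log message for fail2ban to search. The sketch below is an added example, not code from the thread or from the Kamailio or fail2ban projects: it models how a filter with `maxretry` and `findtime` thresholds would react to such a message. The marker text, the thresholds, and the sample log lines with documentation-range IPs are all constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical marker, assumed to be printed by an xlog() call in the Kamailio
# route when sanity_check() fails, followed by $si (the source IP).
MARKER = "SANITY-BLOCK: malformed SIP from"
# fail2ban expands <HOST> inside a failregex; this is an IPv4-only stand-in.
FAILREGEX = re.compile(re.escape(MARKER) + r" (?P<host>\d{1,3}(?:\.\d{1,3}){3})\b")
TS = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) ")

def hosts_to_ban(lines, maxretry=5, findtime=10, year=2012):
    """Return IPs that logged the marker maxretry times within findtime seconds."""
    window = defaultdict(deque)
    banned = []
    for line in lines:
        m, t = FAILREGEX.search(line), TS.match(line)
        if not (m and t):
            continue  # core parser/sanity lines have no address: nothing to ban
        # syslog timestamps omit the year, so one is supplied for parsing
        when = datetime.strptime(f"{year} {t.group(1)}", "%Y %b %d %H:%M:%S")
        hits = window[m.group("host")]
        hits.append(when)
        while when - hits[0] > timedelta(seconds=findtime):
            hits.popleft()  # drop hits that fell out of the findtime window
        if len(hits) >= maxretry and m.group("host") not in banned:
            banned.append(m.group("host"))
    return banned

# Constructed sample: one core parser line as seen in the thread (no IP in it),
# then marker lines from a bursting source and from an occasional one.
PREFIX = "Apr 1 03:32:%02d kmborde /usr/local/sbin/kamailio[2311]: "
SAMPLE = [PREFIX % 19 + "ERROR: <core> [parser/msg_parser.c:179]: "
          "ERROR: get_hdr_field: bad to header"]
SAMPLE += [PREFIX % s + f"WARNING: <script>: {MARKER} 192.0.2.10"
           for s in range(19, 24)]
SAMPLE += [PREFIX % s + f"WARNING: <script>: {MARKER} 198.51.100.7"
           for s in (20, 50)]

if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE))
```
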